Dark Reading is part of the Informa Tech Division of Informa PLC


7/1/2020
06:50 PM

Attackers Compromised Dozens of News Websites as Part of Ransomware Campaign

Malware used to download WastedLocker on target networks was hosted on legit websites belonging to one parent company, Symantec says.

Attackers recently compromised dozens of US newspaper websites belonging to the same parent company and used the sites to distribute malicious code for downloading ransomware on networks belonging to targeted organizations across multiple sectors.

Several major US organizations that were recently found infected with the malware appear to have been initially compromised when their employees visited one of the news websites, Symantec said.

The security vendor last week had reported discovering "SocGholish," a JavaScript-based malware masquerading as a software update, on networks belonging to at least 31 major enterprise customers. A Russia-based group called Evil Corp. is using the malware as part of an attack sequence to download a new ransomware strain called WastedLocker on target networks, Symantec had noted. 

Among the Symantec customers impacted in the campaign are 11 publicly listed organizations, including eight in the Fortune 500 list. A plurality of the victims are in the manufacturing sector, though organizations from other industries were hit as well, including financial services, healthcare, energy, and transportation. In each case, the attacks were detected and stopped before the ransomware deployed.

Had the attacks succeeded, the victims would have likely lost millions of dollars in downtime and damages. The attacks could also have had a cascading effect on the US supply chain, Symantec said. "The end goal of these attacks is to cripple the victim's IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion-dollar ransom," the vendor said in its report last week.

Evil Corp. is a well-known threat actor believed responsible for attacks — including those associated with Dridex and Zeus ransomware samples — that have cumulatively cost victims hundreds of millions of dollars in damages. A US federal court last year indicted two members of the gang on charges related to their long-standing criminal campaigns. Both remain at large — one of them with a $5 million US reward on his head.

In its initial report (updated this week), Symantec said its researchers had discovered at least 150 legitimate but previously hacked websites that were being used to host SocGholish and to download it on systems belonging to visitors to these sites.

According to the vendor, its continuing investigation of the campaign showed dozens of the compromised websites were actually news sites belonging to one parent company. Symantec notified the organization of the issue, and the malicious code has since been removed. The fact that as many as 31 of Symantec's enterprise customers were targeted in the attacks suggests that Evil Corp.'s overall WastedLocker campaign is very broad in scope, Symantec noted.

The NCC Group, which has also been tracking the WastedLocker campaign, has described it as targeted and beginning in May 2020. According to researchers from both Symantec and NCC Group, the attackers from Evil Corp. have been using a combination of custom tools and legitimate processes and services to deploy the ransomware, to communicate with command-and-control servers, and to move laterally on infected networks.

The tools being used in the campaign include PowerShell scripts, the PsExec Windows Sysinternals tool, and the Windows Management Instrumentation Command Line Utility (wmic.exe), which is being used to disable real-time monitoring and scanning of downloaded files. In many of the attacks, the threat actors have attempted to disable Windows Defender and associated services before deploying the ransomware.
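Detection logic for the sequence described above, added here as an example and not taken from Symantec's or NCC Group's reports: it flags process-creation events that turn off Defender real-time monitoring and raises the severity when a PsExec-launched process follows on the same host shortly afterwards. The hosts, timestamps and command lines are constructed; the `DisableRealtimeMonitoring` preference and the `PSEXESVC.exe` service binary are general Windows Defender and Sysinternals facts, and the 15-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events shaped like Sysmon Event ID 1 fields:
# (host, UTC time, parent image, image, command line). Not campaign data.
EVENTS = [
    ("WS01", "2020-06-20T10:00:05", "explorer.exe", "wmic.exe", "wmic os get caption"),
    ("WS02", "2020-06-20T10:01:00", "cmd.exe", "wmic.exe",
     r"wmic /namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference "
     r"call Set DisableRealtimeMonitoring=1"),
    ("WS02", "2020-06-20T10:04:30", "PSEXESVC.exe", "cmd.exe", "cmd /c update.exe"),
    ("WS03", "2020-06-20T11:00:00", "cmd.exe", "powershell.exe",
     "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS04", "2020-06-20T12:00:00", "PSEXESVC.exe", "cmd.exe", "cmd /c ipconfig /all"),
]

# Matches the preference being switched on (value 1 / true), or the Defender
# service being stopped. Merely reading the preference does not match.
TAMPER = re.compile(
    r"DisableRealtimeMonitoring[\s=:]+(1|\$?true)\b|(sc|net)(\.exe)?\s+stop\s+WinDefend",
    re.IGNORECASE,
)
RANK = {"low": 1, "medium": 2, "high": 3}

def raise_to(current, new):
    """Keep the highest severity seen so far for a host."""
    return new if current is None or RANK[new] > RANK[current] else current

def analyze(events, window=timedelta(minutes=15)):
    """Return {host: severity} for hosts with Defender tampering or PsExec activity."""
    last_tamper, findings = {}, {}
    for host, ts, parent, _image, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if TAMPER.search(cmd):
            last_tamper[host] = when
            findings[host] = raise_to(findings.get(host), "medium")
        elif parent.lower() == "psexesvc.exe":
            # PsExec alone is common admin activity: low unless it follows tampering.
            recent = host in last_tamper and when - last_tamper[host] <= window
            findings[host] = raise_to(findings.get(host), "high" if recent else "low")
    return findings

if __name__ == "__main__":
    for host, severity in sorted(analyze(EVENTS).items()):
        print(host, severity)
```
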

 
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
